tom winter

Since: Mar 20, 2007 Posts: 3
Posted: Tue Mar 20, 2007 6:02 pm
Post subject: what http/https/ftp/smtp proxy/relay to use on a network firewall
Archived from groups: linux>debian>maint>firewall
Hi
i'm trying to replace an ISA server used as proxy for incoming
connections to a web and a mail server with a linux box.
The iptables part is clear, also squid as proxy for client web access...
but what can be used for layer 3 proxies for server publications?
http proxy should be able to:
terminate https connections (use http to internal servers)
handle (s)ftp (maybe a separate component)
link translation (replace internal links from the https servers)
no caching needed
smtp relay (or proxy) should be able to
deny smtp sessions for unknown recipients
use blacklists
thanks
tom
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Ansgar -59cobalt- Wiechers

Since: Dec 06, 2004 Posts: 12
Posted: Tue Mar 20, 2007 6:02 pm
Post subject: Re: what http/https/ftp/smtp proxy/relay to use on a network firewall
On 2007-03-20 tom winter wrote:
> i'm trying to replace an ISA server used as proxy for incoming
> connections to a web and a mail server with a linux box.
> The iptables part is clear, also squid as proxy for client web access...
> but what can be used for layer 3 proxies for server publications?
What exactly is a "layer 3 proxy for server publications" supposed to
be?
> http proxy should be able to:
> terminate https connections (use http to internal servers)
Why would you want to break https?
> handle (s)ftp (maybe a separate component)
Why would you want to break ssh?
> link translation (replace internal links from the https servers)
> no caching needed
Apache can be used as a reverse proxy.
> smtp relay (or proxy) should be able to
> deny smtp sessions for unknown recipients
> use blacklists
I'd recommend Postfix, though virtually any MTA should do.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
Léo Goehrs

Since: Mar 21, 2007 Posts: 1
Posted: Wed Mar 21, 2007 2:01 am
Post subject: RE: what http/https/ftp/smtp proxy/relay to use on a network firewall
>> What exactly is a "layer 3 proxy for server publications" supposed to
>> be?
I would say this is how Microsoft ISA works. You decide what resources you publish.
>>> http proxy should be able to:
>>> terminate https connections (use http to internal servers)
>> Why would you want to break https?
To decrease the load on the back end server. This is a feature of ISA. ISA is able to handle the SSL part and terminate it.
>>> handle (s)ftp (maybe a separate component)
>> Why would you want to break ssh?
Who is talking of ssh?
Leo Goehrs
Ralf Döblitz

Since: Dec 07, 2004 Posts: 2
Posted: Wed Mar 21, 2007 7:02 am
Post subject: Re: what http/https/ftp/smtp proxy/relay to use on a network firewall
--On Tuesday, March 20, 2007 21:47:23 +0100 tom winter
<Omega42@abwesend.de> wrote:
[...]
> http proxy should be able to:
> terminate https connections (use http to internal servers)
[...]
> link translation (replace internal links from the https servers)
You can do these two tasks with Apache. Just use the proxy and rewriting
modules to fetch the pages from the internal servers. There is a module to
rewrite internal links IIRC, but I prefer to use the canonical name for the
internal servers too and access them through an alias. This way the
internal servers produce the correct links right from the start without
need for output filtering.
Ralf Döblitz
--
Ralf Döblitz, asco GmbH
r.doeblitz@asco.de
Mittelweg 7, 38106 Braunschweig
Tel 0531/3906-116, Fax 0531/3906-400
http://www.asco.de
Amtsgericht Braunschweig HRB 5035, Managing Director: Jochen Grote
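The Apache setup Ralf describes, as an added example that is not part of this thread and not Ralf's own configuration: an Apache 2.4 virtual host on the firewall host that terminates HTTPS, forwards plain HTTP to the internal server while handing the public host name through so the backend emits correct links itself, and uses mod_substitute only for the one link the backend cannot produce. The names www.example.org, intranet.example.lan and ftp.example.lan, and the certificate paths, are assumed placeholders; the ftp:// mapping is the mod_proxy_ftp gateway Ansgar mentions later in the thread, which handles GET only.

```apache
# Added example, not configuration from this thread. Apache 2.4 reverse
# proxy on the firewall host: TLS is terminated here and plain HTTP goes
# to the published intranet server. All hostnames and file paths are
# assumed placeholders.
LoadModule ssl_module          modules/mod_ssl.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule proxy_ftp_module    modules/mod_proxy_ftp.so
LoadModule headers_module      modules/mod_headers.so
LoadModule filter_module       modules/mod_filter.so
LoadModule substitute_module   modules/mod_substitute.so

# Reverse proxy only. With ProxyRequests On this box would be an open
# forward proxy reachable from the Internet.
ProxyRequests Off

<VirtualHost *:80>
    ServerName www.example.org
    # Plain HTTP does nothing but redirect to the HTTPS name.
    Redirect permanent "/" "https://www.example.org/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    # Assumed certificate and key locations.
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # Who may use the proxied URL space (everyone, for a public site).
    <Proxy "*">
        Require all granted
    </Proxy>

    # Ralf's approach: pass the public Host header through unchanged, so
    # the internal server builds its links under the canonical public
    # name and no output filtering is needed for them.
    ProxyPreserveHost On
    # Let the backend know the client came in over HTTPS, so absolute
    # links it generates use https:// rather than http://.
    RequestHeader set X-Forwarded-Proto "https"

    # Most specific mapping first: an FTP directory exposed as an HTTPS
    # URL. mod_proxy_ftp speaks plain FTP to the backend (GET only), so
    # the internal FTP server needs no TLS of its own; only the
    # client-facing side is encrypted.
    ProxyPass        "/dir/" "ftp://ftp.example.lan/dir/"
    # The published web server, reached over plain HTTP on the LAN.
    ProxyPass        "/" "http://intranet.example.lan/"
    ProxyPassReverse "/" "http://intranet.example.lan/"
    # Rewrite cookies that still carry the internal name.
    ProxyPassReverseCookieDomain "intranet.example.lan" "www.example.org"

    # Link translation in the response body for links the backend cannot
    # express correctly (tom's file://server/share case); here it is
    # mapped onto the proxied FTP directory above. The body must reach
    # the filter uncompressed, hence the Accept-Encoding removal.
    RequestHeader unset Accept-Encoding
    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s|file://server/share|https://www.example.org/dir/|i"
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, and keep ProxyRequests Off: the ProxyPass mappings are the whole published surface, and nothing else on the LAN should be reachable through this host.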
Ansgar -59cobalt- Wiechers

Since: Dec 06, 2004 Posts: 12
Posted: Wed Mar 21, 2007 2:02 pm
Post subject: Re: what http/https/ftp/smtp proxy/relay to use on a network firewall
On 2007-03-21 Léo Goehrs wrote:
>> What exactly is a "layer 3 proxy for server publications" supposed to
>> be?
>
> I would say this is how Microsoft ISA works. You decide what resources
> you publish.
I am not familiar with ISA server. Which kind of "resources" is going to
be "published"? And what does that have to do with layer 3?
[...]
>>> handle (s)ftp (maybe a separate component)
>>
>> Why would you want to break ssh?
>
> Who is talking of ssh?
Ah, I was misreading "(s)ftp" as (ssh-)"sftp". My bad.
Regards
Ansgar Wiechers
tom winter

Since: Mar 20, 2007 Posts: 3
Posted: Wed Mar 21, 2007 4:02 pm
Post subject: Re: what http/https/ftp/smtp proxy/relay to use on a network firewall
Hi Ansgar,
Ansgar -59cobalt- Wiechers wrote:
> On 2007-03-20 tom winter wrote:
[...]
> What exactly is a "layer 3 proxy for server publications" supposed to
> be?
MS terminology... servers that have to remain inside the LAN are
'published'. E.g. the intranet web server has to have AD and database
connections, so it can't be moved to a DMZ easily.
>> http proxy should be able to:
>> terminate https connections (use http to internal servers)
> Why would you want to break https?
Because of the necessary address translations. The connection to that
web server is secure (separate switch, switch and cables not reachable
for anyone but IT).
e.g. internal link file://server/share -> external ftp://server/dir
I know, this could be done by script, but I have little influence on our
web programmer.
>> handle (s)ftp (maybe a separate component)
>
> Why would you want to break ssh?
The original ftp server has no SSL capabilities at all. I hope to add that
on the gateway.
bye,
tom
Ansgar -59cobalt- Wiechers

Since: Dec 06, 2004 Posts: 12
Posted: Wed Mar 21, 2007 6:01 pm
Post subject: Re: what http/https/ftp/smtp proxy/relay to use on a network firewall
On 2007-03-21 tom winter wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2007-03-20 tom winter wrote:
>> What exactly is a "layer 3 proxy for server publications" supposed to
>> be?
>
> MS terminology... servers that have to remain inside the LAN are
> 'published'. E.g. the intranet web server has to have AD and database
> connections, so it can't be moved to a DMZ easily.
Ah, I see, you mean connections from hosts in the DMZ into the LAN?
You'll need to manually allow the ports required for the services you
want to be 'published'. Personally I'd prefer to avoid something like
that, though, and rather replicate the data or move the servers to a DMZ
of their own, that can be accessed from both the "public" DMZ and the
LAN.
>>> http proxy should be able to:
>>> terminate https connections (use http to internal servers)
>>
>> Why would you want to break https?
>
> Because of the necessary address translations. The connection to that
> web server is secure (separate switch, switch and cables not reachable
> for anyone but IT).
> e.g. internal link file://server/share -> external ftp://server/dir
> I know, this could be done by script, but I have little influence on our
> web programmer.
>
>>> handle (s)ftp (maybe a separate component)
>>
>> Why would you want to break ssh?
>
> The original ftp server has no SSL capabilities at all. I hope to add that
> on the gateway.
Yeah, misunderstanding on my part. AFAICS reverse proxying of both HTTP
and FTP connections should be doable with Apache's mod_proxy [1].
Haven't done this myself before, though, so take it with a grain of
salt.
[1] http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
Regards
Ansgar Wiechers
tom winter

Since: Mar 20, 2007 Posts: 3
Posted: Thu Mar 22, 2007 4:01 am
Post subject: Re: what http/https/ftp/smtp proxy/relay to use on a network firewall
Ansgar -59cobalt- Wiechers wrote:
> On 2007-03-21 tom winter wrote:
>> Ansgar -59cobalt- Wiechers wrote:
>>> On 2007-03-20 tom winter wrote:
>>> What exactly is a "layer 3 proxy for server publications" supposed to
>>> be?
>> MS terminology... servers that have to remain inside the LAN are
>> 'published'. E.g. the intranet web server has to have AD and database
>> connections, so it can't be moved to a DMZ easily.
>
> Ah, I see, you mean connections from hosts in the DMZ into the LAN?
> You'll need to manually allow the ports required for the services you
> want to be 'published'. Personally I'd prefer to avoid something like
> that, though, and rather replicate the data or move the servers to a DMZ
> of their own, that can be accessed from both the "public" DMZ and the
> LAN.
it's even worse: in a standard ISA setup, all layer two filtering and
all Proxies are done on the same machine and all running with local
system (~ root) privileges.
Thanks,
also thanks to Léo and Ralf
Tom